On the morning of May 5, 2006, the OPP&P ISO briefly interviewed and requested a 
written statement from the employee concerning the theft of VA data from his home. 
The OPP&P ISO consulted with the GS-14 District ISO responsible for coordinating ISO 
activities among VACO staff offices, who in turn asked him to provide her a brief written 
description. Later that day, the employee provided the written statement to the OPP&P 
ISO as requested, noting that his personally-owned laptop computer and external hard 
drive were taken during the burglary and that VA data files containing personal 
identifiers had been stored on the missing external hard drive. Based in part on his 
review of VA data stored on CDs and a flash drive that had not been taken in the 
incident, the employee listed the files he believed were on the missing hard drive. 

The OPP&P ISO quickly edited the employee's statement to serve as the basis for his 
information security incident report, which he sent by electronic mail to the SOC and 
the District ISO shortly before 4:00 p.m. on Friday, May 5, 2006. The District ISO 
provided a copy of the report to the SOC on this same day. When editing the 
employee's statement, the OPP&P ISO deleted what he felt were unnecessary details 
of the burglary but also mistakenly changed the report to erroneously state that the CDs 
and flash drive — key evidence of what VA data were likely on the missing hard drive — 
had themselves been taken in the incident. This error resulted in a missed opportunity 
in the early stages of the incident to re-create the likely contents of the employee's 
laptop and external drive and to recognize the magnitude of the potential loss of data. 

Additionally, although the employee's report contained information on the number of 
records (6,744) at risk in the mustard gas file, the OPP&P ISO forwarded the 
information without attempting to determine or report the number of records in the other 
files the employee had on his hard drive. Simple follow-up questions on the nature of 
the contents and size of the BIRLS extract or C&P list would have shown that sensitive 
information on millions of veterans' records was at stake. Finally, the incident report 
did not contain the employee's name or other contact information to facilitate 
confirmation of the incident. 

The OPP&P ISO told us that after he filed the incident report with the information 
security officials, he was waiting on the results of an investigation into the matter by the 
SOC and did not take any further action. When asked if he re-interviewed the employee 
on the next business day (May 8, 2006), the OPP&P ISO responded, "No. I took his 
email. I did not want to talk to him again. I didn't want to - if he had changed his mind 
or did whatever, I didn't want to know, and I didn't want to hear it. I didn't want to be 
involved with a conflict, having one statement or then having another statement and 
then having to go back. I didn't want that... If he had requested to talk to me, then I 
would have if he had something to share, but I gave him the opportunity to send the 
email and get everything in it. He sent it, and we've had no contact since." 

Because the OPP&P ISO also serves as the OPP&P PO, we asked him why he did not 
pursue this incident as a privacy issue. He responded that he was waiting for the SOC 
to investigate what files were missing and to determine if the loss was a privacy 
violation. Ironically, 12 days after receiving the OPP&P ISO's incident report the SOC 
had referred the matter back to the ISO for action as a privacy violation. 

Cyber Security Operations Officials Did Not Ensure That a Timely Investigation 
and Notifications Were Made Concerning the Severity of the Data Loss 

A GS-13 information technology specialist in the SOC received the OPP&P ISO's e-mail 
regarding the incident on Friday, May 5, 2006, in the late afternoon. As the SOC 
incident management team lead, he was responsible for reviewing the reported event, 
determining whether the incident could be confirmed, prioritizing the incident as to its 
severity and urgency, determining the proper incident category, and initiating incident 
notifications. 

That same afternoon, the SOC incident management team lead left the OPP&P ISO an 
after-hours voice mail requesting a call back. The OPP&P ISO told us he did not 
receive that message until late on Monday, May 8, 2006, because he had been busy 
that day. On May 10, 2006, the SOC team lead notified the OPP&P ISO by e-mail that 
the SOC had established an incident case number for the event, that he should ensure 
the local privacy officer was notified, and that any additional pertinent information be 
forwarded to the SOC. In addition to the above confirmed contacts, the SOC team lead 
said that he called or left voice mail messages for the OPP&P ISO on other occasions 
following the incident, but the ISO told us he did not recall receiving these 
communications. In any event, 12 days elapsed without the SOC team lead and the 
OPP&P ISO, who work in the same building several floors apart, making any 
progress in investigating or determining the severity of the incident. The SOC team 
lead told us that he determined that the incident appeared to be primarily a privacy 
incident rather than a cyber security incident, so he expected that the OPP&P ISO, as 
the OPP&P PO, had primary responsibility to obtain information on the event. 

Also on May 5, 2006, the District ISO advised her supervisor, Mr. Johnny Davis, Jr., of 
the possibility that sensitive data was stolen from a laptop of a VA employee. As the 
Director of the Cyber Infrastructure Protection Service, Mr. Davis has supervisory 
responsibility for the SOC, and also serves as the Acting Associate Deputy Assistant 
Secretary for Cyber Security Operations. Mr. Davis told us that this conversation 
occurred in passing in the hallway and that the District ISO did not have details on the 
nature of the missing data. Nonetheless, Mr. Davis said he directed her to ensure that 
the incident was reported to the SOC and the Privacy Office, and that he relied upon her 
as a GS-14 employee to carry out these instructions without the need for supervisory 
follow-up. While she did in fact submit a report to the SOC, the District ISO 
acknowledged that she became disengaged from the process, and Mr. Davis did not 
follow up further with her or the SOC team lead to determine whether any progress was 
being made. 

Mr. Davis also told us that the SOC routinely receives reports of incidents from ISOs, 
which they must attempt to confirm and analyze before making further notifications. 
According to Mr. Davis, however, national level incidents are to be brought to his 
attention immediately so he can brief his supervisors. No such notifications were made 
because of the failure to develop timely information on the magnitude of the data loss by 
each person in the notification chain: the OPP&P ISO, the District ISO, and the SOC 
team lead. These failures were further compounded by Mr. Davis's failure to follow up 
on the actions of his staff. 

It was not until May 16, 2006, when Mr. Davis' supervisor, Mr. Pedro Cadenas, Acting 
Deputy Assistant Secretary for Cyber and Information Security, who also serves as the 
Acting Deputy Chief Information Officer (CIO), asked him about the incident that 
Mr. Davis followed up with his staff. Finally on May 17, 2006, 12 days after receiving 
notification in the SOC on the incident, the SOC team lead met with the OPP&P ISO in 
person, interviewed him, and began preparing an incident report. Mr. Davis provided a 
follow-up report to Mr. Cadenas, and Mr. Cadenas reported the results to his superiors. 
When asked why the notification was not made earlier, Mr. Cadenas told us that in 
accordance with their procedures, notification is only done after an incident has been 
validated as a cyber security incident. In this case, his staff had determined that it was 
a privacy matter and not a cyber security matter, and took steps that same day to 
ensure that the incident was entered into the privacy violation tracking system. 
Accordingly, the SOC had referred the incident back to the person who initially reported 
the incident 12 days earlier to the SOC, the OPP&P ISO, in his capacity as OPP&P PO, 
who had initially stated he did not want to talk to the employee again. 

Conclusion 

As the person responsible for making the first notification to information security 
officials, the OPP&P ISO failed to adequately and accurately describe the loss of data 
that occurred, particularly the magnitude of the number of records stolen. His failure to 
discharge his duties and responsibilities — whether by not re-interviewing the employee 
or by failing to respond to numerous contacts by the SOC — hampered other officials in 
understanding the true scope of the data breach and reacting accordingly. The OPP&P 
ISO acted as if he had no further responsibility after he notified the SOC. Because he 
also served as the OPP&P privacy officer, the matter was eventually referred back to him for action. 

The absence of sufficient detail concerning the magnitude of the loss hampered the 
efforts of the SOC team lead to assess the severity of the incident. However, whatever 
difficulties the SOC team lead may have had reaching the OPP&P ISO by telephone, 
he was not sufficiently diligent in obtaining information about the incident. 
Since the two worked in the same building, the SOC team lead should have sought out 
the ISO by going to see him in his office. 

After reporting the incident to Mr. Davis on May 5, 2006, the District ISO became 
disengaged and took no further action to monitor the situation or keep her supervisor 
apprised of the status. Mr. Davis, who has supervisory responsibility for the SOC, 
learned of the incident on May 5, 2006, but did not follow up in a timely manner to 
ensure it was investigated and did not report it to his supervisor, Mr. Cadenas, so that 
notification could continue to the Chief Information Officer, Deputy Secretary, and 
Secretary. Although the SOC team lead, Mr. Davis, and Mr. Cadenas said they thought 
the incident was a privacy issue, VA policy identifies the loss of sensitive computer data 
as a reportable information security incident. The failure to realize the magnitude of this 
incident, combined with a bureaucratic process that took 12 days to determine that this 
was a privacy issue and not an information system security issue, not only delayed 
notification to higher management, it also resulted in the matter being referred back to 
where it originated, with the OPP&P ISO/PO. 

Recommendation 

Based on the circumstances presented in this section, we recommend that the 
Secretary take whatever administrative action he deems appropriate concerning the 
individuals involved. 
Issue 5: Whether VA Policies Safeguard VA Information 

Existing VA policies, procedures, and practices need to be consolidated and 
strengthened to ensure that personal or proprietary information used by VA employees 
and contractors is adequately safeguarded. They also need to be readily accessible 
by VA and contract employees to ensure compliance. 

We found that VA's policies and procedures for safeguarding information and data were 
not consolidated or standardized to ensure all employees were following all applicable 
requirements in a similar fashion, and that policies and procedures were not adequate 
in preventing the loss of the data. We also found that VA employees and contractors 
were not adequately trained and reminded of the policies and procedures to follow to 
safeguard personal or proprietary information, sensitivity level designations were not 
always accurate, information and data provided to contractors need to be better 
safeguarded, and VA incident reporting procedures and controls need improvement. 

Since the incident in which millions of VA records containing protected information were 
stolen, VA managers have attempted to strengthen policies, procedures, and controls to 
prevent similar disclosures, but additional actions need to be taken to safeguard 
protected information and VA's automated systems. Personal and proprietary 
information is referred to throughout this section as protected information. 

VA Policies, Procedures, and Practices Were Not Easy to Identify, Current, and 
Complete 

VA needs to consolidate and standardize policies, procedures, and practices for 
safeguarding VA protected information and ensure that they are accessible to 
employees and contractors. Our review found that policies and procedures have been 
issued at irregular intervals over a long period, and in separate guidelines, memoranda, 
directives, and handbooks, and in response to various laws and other legal 
requirements. As such, there was no consolidated repository of instructions and 
requirements that employees could research and follow, nor was there an adequate 
method for ensuring that all policies and procedures issued by VA were current. 
Managers in each of the administrations within VA have issued their own local policies 
and procedures, which have increased the potential for inconsistencies and further 
fragmented directions provided to employees and contractors. 

The fragmentation of VA policies and procedures issued over a long period, and the 
issuance of numerous local policies and procedures issued independently by each 
administration within VA, contributed to many of the procedural and control 
inconsistencies that are noted throughout this report. 

To evaluate whether VA had policies and procedures in place to safeguard against the 
disclosure of protected information if the information was lost or stolen, we asked VA to 
provide us with all relevant policies and procedures. We received a fragmented set 
of policies and procedures that VA had issued to employees over time. We 
researched and found other policies and procedures that were not provided to us in 
response to our request. 

To illustrate, VA provided us the following documents: 

• Security Guideline for Single-User Remote Access, March 10, 2006. 

• An April 20, 2006, memorandum from the Assistant Secretary for Information 
and Technology to remind all employees, contractors, students, and 
volunteers that they must complete Cyber Security Awareness training by 
September 30, 2006. 

• A February 13, 2006, memorandum from the Assistant Secretary for 
Information and Technology advising VA leadership of the requirement that 
they must complete the Enterprise Privacy Program privacy training by 
September 30, 2006. The memorandum also advises of other training 
options including two prepared by VHA. 

• VA Directive 6502, Privacy Program, June 20, 2003. 

• VA Handbook 5011/5, Hours of Duty and Leave, September 22, 2005, which 
revised the policies and procedures for telework. 

In addition to the documents provided by VA, our research identified additional VA 
Directives and Handbooks on the subject of IT security and privacy of information: 

• VA Directive 6210, Automated Information Systems Security, 
January 30, 1997, and VA Handbook 6210, which establishes policies and 
procedures for cyber security. 

• VA Handbook 6502.1, Privacy Violation Tracking System, March 25, 2004. 

• VA Handbook 6502.2, Privacy Impact Assessment, October 21, 2004. 

• VA Handbook 6300.4, Procedures for Processing Requests for Records 
Subject to the Privacy Act, January 12, 1998. 

• VA Handbook 6300.5, Procedures for Establishing and Managing Privacy Act 
Systems of Records, January 12, 1998. 

Our review confirmed that there was no consolidated and current set of policies and 
procedures that employees and contractors could access to ensure all applicable 
requirements are being met. We found that the VA intranet posed a considerable 
challenge to employees seeking to learn about VA policies on privacy and cyber 
security. There was no direct link on the main VA home page to VA-wide directives; 
therefore, employees not familiar with the Office of Information Technologies Directives 
Homepage must conduct multiple time-consuming searches and sort through tens of 
thousands of "hits" before locating pertinent directives. Without clearer directions on 
how to locate these directives, VA will not achieve compliance. 

We also found that managers within each region and local facility within VA developed 
and implemented their own policies and procedures on many of these requirements, 
which further subjected the criteria to multiple, differing interpretations. 

VA Policies and Procedures for Safeguarding Against the Disclosure of Protected 
Information Were Not Adequate to Prevent the Data Loss Incident 

VA did not have sufficient policies and procedures in place to prevent this recent data 
loss incident, or any other such incident, that would have involved the disclosure of 
protected information. We did not identify any VA policy that prohibited employees or 
contractors from removing protected information from the VA worksite, required 
employees or contract employees to obtain authorization before removing the 
information, prohibited the use of non-VA computers to process or store protected 
information, or that required safeguards such as password protection or encryption 
when protected information was stored on portable storage media or non-VA 
computers. 

VA Directive 6502, Privacy Program, which was provided to us by VA in response to our 
request, states that VA will ensure that all privacy-protected data maintained by or for 
VA in any medium, is kept confidential, except when disclosure is permitted by law. The 
Directive does not specify how the information will be protected and does not require 
safeguards for proprietary information. 

The Privacy Service in the Office of Information and Technology is responsible for VA 
Directive 6502. The Director, Privacy Service, told us the administrations, particularly, 
VHA, have great latitude in terms of establishing local policies and, unless Privacy 
Service is asked to look at a policy, they "have no idea what exists out there." The 
Privacy Officer for VHA told us that they do not review all of the policies issued by field 
facilities. This decentralized approach to policy making leads to inconsistencies in 
protecting information. 

None of the employees we interviewed was able to identify a policy or other requirement 
in place prior to May 3, 2006, that established specific requirements for safeguarding 
protected information when removed from the worksite. One of the documents VA 
provided in response to our request was titled "Security Guidelines for Single User 
Remote Access" (Security Guideline), March 10, 2006. We determined that this 
document was not an approved or published VA Directive, Handbook, or policy at the 
time of the incident or at the time it was provided to us. Nonetheless, we reviewed the 
document and determined that the provisions did not provide adequate safeguards for 
information stored on portable media. Also, statements throughout the document 
indicate that the guidelines were only applicable to employees with remote access to 
the VA intranet. 
Our research identified a reference to removing Privacy Act protected information in 
Section 9 of VA Handbook 6300.4, Procedures for Processing Requests for Records 
Subject to the Privacy Act, issued January 12, 1998. Paragraph b(2) of that Section, 
Systems of Records on Personal Computers, states: 

"Records subject to the Privacy Act that are maintained on PCs must be 
protected from unauthorized disclosure in the same manner as all 
records subject to the Act. To ensure proper protection of records on 
'floppy disks,' procedures will be established by management to ensure 
these disks are not removed or used outside Government buildings or 
installations without proper authorization and documentation. 'Floppy 
disks' containing personal information subject to the Act will be properly 
secured when not in use to prevent unauthorized use or access." 

Not only is the Handbook outdated with respect to the current technology used to store 
information, employees would not be familiar with the cited provision unless they were 
processing a request for Privacy Act records. The provision in Section 9 does not 
prohibit removing protected data from the worksite. While it does require that the 
agency implement procedures to ensure data is not removed from the worksite without 
proper authorization and documentation, we could not identify any such procedures. 
Also, the individuals we interviewed were not aware of any policies or procedures. 

We also could not identify any VA policy in effect at the time of the incident that required 
protected information stored on portable media be password protected or encrypted, or 
that the media devices or hard copy of records be secured by any specific means. VA 
Handbook 6300.4 only requires that "floppy disks" containing personal information 
subject to the Privacy Act will be "properly secured when not in use to prevent 
unauthorized use or access." Criteria to satisfy the "properly secured" requirement were 
not delineated in VA Handbook 6300.4 or any other VA policy that we were provided or 
that we located ourselves using the VA intranet. 

In response to our request, VA provided VA Handbook 5011/5, which provides policy 
and procedures for telework. Although the employee was not teleworking when the 
incident occurred, the telework policy is significant because the program supports the 
concept of employees taking work from the VA worksite to their home or other remote 
location. The policy only prohibits taking, using, and storing "classified" information at 
the employee's home or telecenter. At VA, however, most VA employees do not handle 
classified data. The telework policy specifically allows employees to remotely access 
Privacy Act materials and VA data and systems provided the employee agrees to 
protect the records from unauthorized disclosure or damage. The policy also requires 
employees to comply with all legal requirements of the Privacy Act and other statutes, 
policies, and procedures, to protect the VA data and systems to which the employee will 
have access under the telework arrangement, but lacks sufficient detail to say how this 
should be done. 
The use of non-VA computers to work at home or other remote location was not 
prohibited by VA's telework policy. Also, this policy does not require the same 
safeguards VA requires for VA-owned computers. The policy does not require that 
personal computers be password protected, have antivirus or intrusion detection software, or that 
confidential or other protected information be encrypted or password protected, and 
does not have requirements for the destruction of data, even when a non-VA computer is 
discarded. 

Employees who use VA's Virtual Private Network (VPN) to access the VA intranet 
remotely are required to comply with requirements for remote access. This provision 
has limited impact because employees are not required to have remote access to work 
from home or other remote site, and the policy permits the use of VPN on non-VA 
computers. Remote access through VPN only protects the firewall for VA's intranet; it 
does not prohibit the employee from downloading protected information and does not 
protect the information after it has been downloaded onto a non-VA computer. The 
ISOs, who have responsibility for obtaining signed Rules of Behavior for VPN users, told 
us that they do not have any involvement with telework arrangements unless the 
employee is using remote access to the VA intranet. 

Our review showed that current VA policies and procedures need to be clarified to 
distinguish between information law and information security law requirements. 
Information laws and regulations identify information to be protected from disclosure, 
establish the conditions under which the information may be disclosed, and prescribe 
penalties for illegal disclosure. Information law requirements applicable to personal 
information in records VA maintains include the Privacy Act,[1] VA confidentiality 
statutes,[2] and Health Insurance Portability and Accountability Act (HIPAA) regulations.[3] 
These laws also prohibit the disclosure of proprietary information maintained by VA.[4] 

Conversely, information security laws focus on protecting automated systems that store 
the information from unauthorized access. Information security laws require VA to take 
action to protect the automated systems that contain protected information from 
unauthorized intrusions, unauthorized access, and viruses that can impact both the 
information system and the integrity of the information. The Federal Information 
Security Management Act of 2002 (FISMA)[5] provides the framework for ensuring the 
effectiveness of information security controls over information resources that support 
Federal operations and assets. 

The circumstances surrounding the theft of the employee's personal external hard drive 
on which protected information was stored highlight a gap between information law and 
information security law requirements, and raise issues concerning the VA policies and 
processes designed to ensure compliance with these laws and how problems are 
investigated and resolved. 

[1] Title 5 U.S.C. § 552a. 

[2] Title 38 U.S.C. §§ 5701 (protects claims for benefits, including names and addresses), 5705 (protects medical quality assurance records), 7332 (protects records relating to the treatment of drug and alcohol abuse, sickle cell anemia, and HIV). 

[3] Title 45 CFR §§ 160 et seq. 

[4] Title 18 U.S.C. § 1905. 

[5] Title III of Public Law 107-347, E-Government Act of 2002. 

VA Office of Inspector General 31 

Case 1:06-cv-01038-JR Document 18-4 Filed 01/09/2007 Page 10 of 30 
Review of Issues Related to the Loss of VA Information Involving the Identity of Millions of Veterans 

Our review found that the gap is in the assignment of responsibility for establishing and 
enforcing VA policy with respect to these two sets of laws. Privacy Officers see their 
role as identifying the information that should be protected and the criteria for 
disclosure. Information Security Officers see their role as safeguarding information by 
protecting the automated systems in which the information is stored. The gap is 
safeguarding information not stored on VA automated systems. 

VA policies did not sufficiently address safeguards for protecting information from loss 
or theft when the information does not reside in a VA automated system. This includes 
hard copy records as well as records stored electronically on portable media storage 
devices and non-VA computers. Portable storage devices allow employees and 
contractors to store and transport millions of records to alternate work sites. While this 
could improve the efficiency of Government by allowing employees and contractors to 
work from remote and non-traditional locations, there are inherent risks associated with 
the removal of the data from a protected environment that can result in potential 
disclosure of protected information through loss or theft that need to be addressed in VA 
policies and procedures. 

Clarifications to VA policies are also needed in describing the terminology used when 
discussing issues of information law versus information security law. For example, the 
word "system" as used by ISOs refers to the automated systems, hardware, and 
program applications that store the information; whereas to a PO the word "system" 
refers to a "system of records" as defined in the Privacy Act. The Privacy Act and other 
confidentiality statutes use terms such as "privileged" or "protected" information, 
whereas FISMA uses the term "confidential" and VA policies use the term "personal" or 
"sensitive" to describe certain information. Personal information pertains to personal 
identifiers related to individuals such as social security numbers, dates of birth, claims 
numbers, and health information. Proprietary information relates to information 
provided by vendors during the acquisition process and internal configuration and 
design information concerning VA automated systems. We concluded that VA needs to 
apply consistent and comprehensive terminology throughout its policies and procedures 
to better standardize its criteria for safeguarding protected information. 

VA Training Tools Are Not Adequate to Ensure that VA and Contractor Employees 
Are Sufficiently Trained 

Our review of employees' and contractors' training on policies and procedures found 
that cyber security and privacy awareness trainings were inadequate. VA requires all 
VA employees and contractors who have access to VA's automated systems to 
complete training annually on cyber security awareness and privacy. We reviewed all of 
the training modules to determine whether they effectively informed employees and 
contractors about their duties, responsibilities, and accountability for protecting VA's 
automated systems and protected information. 
We found that these modules are difficult to locate, do not adequately address 
safeguarding protected information when it is removed from VA premises, are not 
constructed to ensure that employees are tested on comprehension of course content, 
and that most modules are general in nature and do not contain citations or links to 
applicable directives. 

In our search of the VA intranet, we experienced difficulty locating the required training, 
netting over 100,000 possible matches when using the phrase "Cyber Security 
Training." Our search also revealed that a link on the VA intranet provides the 
questions and answers to questions asked during the training and allows employees to 
print a "Certificate of Training" without accessing the training module. 

Cyber Security Awareness training is basic in nature and does not cite any VA directive, 
handbook, or other policy relating to cyber security. For example, the training does not 
cite VA Directive 6210, which prohibits using e-mail to transmit protected information 
unless the information is encrypted. It also does not cite VA Handbook 6300.4, which at 
the time of the data loss, was the sole VA directive that addressed protection of 
information when removed from VA premises on floppy disks. 

We reviewed the three online training modules on privacy available to employees: 
"Privacy, Department of Veterans Affairs, and You," "Privacy Awareness for Senior 
Executives," and "VHA Privacy Policy Web Training," and found varying levels of 
specificity and effectiveness. 

• "Privacy, Department of Veterans Affairs, and You," which is geared to 
employees needing a general knowledge on privacy requirements, provides 
an adequate overview of privacy issues but does not reference specific laws 
or VA policies except the provision in VA Directive 6300 that addresses the 
destruction of records. 

• The "Privacy Awareness for Senior Executives Training" provides links to 
directives, manuals, and policies, and more detailed information on privacy 
protection, but lacks helpful ideas on how senior managers can implement 
policies to safeguard data adequately. A June 7, 2006, memorandum from 
the Under Secretary for Benefits to VBA employees states that the "Privacy 
Awareness for Senior Executives" training module does not satisfy the 
Secretary's training requirement. 

• The "VHA Privacy Policy Web Training" is the most detailed and 
comprehensive with respect to the applicable information laws and HIPAA 
requirements. It addresses the need to safeguard confidential information, 
but does not provide any specific requirements for how to protect the 
information. 
None of the courses adequately tests employees' comprehension of course content. 
Employees can quickly click the screens to answer questions on cyber security without 
reading all information, and the VHA course can be completed without answering the 
test questions. All training modules require updating to reflect policies issued in the 
wake of the data loss. 

In response to the data loss, the Secretary directed all VA employees and 
contractors to complete training on cyber security and privacy awareness by June 30, 
2006. While this is a good first step in increasing employee and contractor awareness, 
actions should be taken to reassess the sufficiency of these training materials, making 
them easier to locate and access, and strengthening the comprehensiveness of these 
courses. 

VA Employees and Contractors Do Not Have Appropriate Sensitivity Level 
Designations 

Our review of VA policy and selected employees' and contractors' sensitivity level 
designations found that VA employees either do not have appropriate sensitivity level 
designations or designations were inaccurate. 

VA Directive 0710 establishes policy for the management of the personnel suitability 
and security program. The Directive pertains to VA applicants, appointees, and contract 
personnel for identification of a position's risk level as it relates to the efficiency and 
integrity of the Federal service and for determining the scope of a background 
investigation as it relates to risk level. The Directive states that high and moderate risk 
level positions are normally designated as Public Trust, which may involve policy 
making, major program responsibility, public safety and health, law enforcement duties, 
fiduciary responsibilities, etc. 

VA Directive 0710 requires background screenings commensurate with the risk involved 
for any positions that require access to VA information systems. The Directive requires 
assessments for all positions by the appropriate ISO for the possible risk or harm that 
could result from an incumbent's loss, misuse, or unauthorized access to, or 
modification of, VA information, including the potential for harm or embarrassment to an 
individual who is the subject of the records. Although the ISO does the assessment, the 
final determination rests with the program office with delegated authority to make final 
suitability determinations. 

In the present case, VA officials recognized this problem once they realized that the 
employee, who had legitimate access to a large volume of protected information, had 
never been vetted through the background investigation process for suitability. The 
employee's risk level, as indicated on his VA Form 2280, Position Sensitivity Level 
Designation, dated April 5, 2001, indicates that the position has a limited impact on the 
efficiency of the service with multi-agency scope of operations. 
Our review revealed that a number of other employees assigned to OPP&P, some of 
whom have similar data access privileges, also had no suitability determinations. In 
fact, one of the systems of records that these employees have access to is BIRLS, one 
of the system extracts reported stolen on May 3, 2006. A recent assessment conducted 
at the request of VBA determined that the information sensitivity for BIRLS/VADS 
(Veterans Assistance Discharge System) was moderate for confidentiality, integrity, and 
availability. The evaluation also concluded that BIRLS/VADS should be classified as a 
mission critical system. 

Position sensitivity determinations also apply to contract personnel. Information Letter 
(IL) 90-0106 issued by VA Office of Acquisition and Materiel Management on July 16, 
2001, provided procedures to facilitate the security programs for VA automated 
information systems and guidance on the acquisition process relating to the established 
background requirements for contractor personnel. The IL states that VA policy 
requires that contracts contain an investigative requirement for the contractor position 
based on the pre-determined position sensitivity level designation. The IL further states 
that automated systems that contain information that is subject to the Privacy Act, or the 
modification of which could adversely affect the performance of Federal programs, are 
designated as sensitive. The sensitivity designation in VHA is determined by each 
VISN office, which has resulted in inconsistent and inaccurate designations. 

A review of 20 selected proposals for contracts for physician services at VA medical 
centers showed that the positions in 16 proposals were designated as low-risk and a 
no-risk determination was made in the remaining 4 proposals. However, all of the 
physicians providing services under the contracts will have access to VA automated 
systems, including patient care records. The designation of low-risk is inconsistent with 
the level of responsibility and impact that these health care providers have on VA 
programs and operations. 

Staff at one of the three medical centers we visited told us that the level of risk was 
minimal because the physicians did not have access to sensitive information, even 
though they had access to Veterans Health Information System Technology 
Architecture (VistA). Another medical center indicated the level of risk determination 
was impacted by the cost of a background investigation, not the actual risk involved. 
We have previously recommended in our FISMA reports that risk assessments be part 
of every position description and contract. 

VA needs to ensure that all positions have appropriate sensitivity designations and have 
nationwide designations for positions that have like or similar duties and access to VA's 
automated systems. Without these safeguards, VA systems and protected information 
are at risk. 

Protected Information Provided to Contractors Is Not Adequately Safeguarded 

Our review of applicable VA policies, interviews of VA management, reviews of contract 
documents relating to solicitations and contracts from prior and ongoing OIG 
investigations, audits, and reviews, and reviews of contract administration records at 
three VHA facilities determined that protected information provided to contractors was 
not adequately safeguarded. 

We found that VA policy requires inclusion of two specific clauses in contracts that 
include access to Privacy Act protected information, as required in the Federal 
Acquisition Regulation (FAR). VA Handbook 6210, "Computer Security Training 
Protocols," requires training for all VA elements and non-VA organizations that use VA 
automated systems, including contractors, which meets the requirements of FISMA. 

In our interviews with CIOs, POs, and ISOs, we were assured that contractors who were 
provided privacy information and/or access to VA's automated systems, including 
systems of records with patient related information, were notified of the provisions of the 
Privacy Act, other VA confidentiality statutes, VA Directive 6502, the associated 
handbooks, VA's cyber security policies, etc. We also were told that contractors were 
required to sign Rules of Behavior to have access to VA systems and that they were 
required to report privacy violations as required by VA Directive 6502.1. 

In our review of contract documents, we found that many contracts did not consistently 
include clauses to protect the information or the systems, contractors were not required 
to take and/or did not take Cyber Security and/or Privacy Awareness training, 
background investigations were not required or not done, and contractors were not 
always required to sign Rules of Behavior to access VA's automated systems. Also, 
contract documents seldom referenced or included VA policies relating to safeguarding 
protected information or the security of automated information systems. 

We selected 20 proposals submitted in response to solicitations for contracts for 
physician services that were to be awarded to VA affiliates under the provisions of 38 
U.S.C. § 8153. All 20 were subject to legal/technical review prior to being sent to the 
OIG Office of Contract Review for a preaward review. The results show that the 
majority of the proposals reviewed did not require contractor personnel to comply with 
VA's training requirements, to undergo background checks, or to report privacy 
violations as required by VA Handbook 6502.1. The results of our review are as 
follows: 
In addition to reviewing the 20 proposals, we visited three VA medical centers and 
reviewed documentation relating to the administration of contracts with affiliates for 
physician services. The following examples illustrate the vulnerabilities that exist with 
VA contracts in protecting VA systems and data: 
• A contract for anesthesia services in effect since July 2005 had 29 physicians 
as potential providers. All 29 had been provided access to the surgical 
primary and secondary menus in VistA, which allows the user to view, enter, 
and edit patient information. None of the 29 physicians had any background 
checks. The Supervisory Human Resource (HR) Specialist told us that they 
generally do not conduct background checks for anesthesiologists because 
their jobs are not classified as sensitive positions. The Medical Center 
Director told us that all physicians have lower-level background checks 
because they do not deal with sensitive information. We were told that for 
low-level rated positions, HR only needs to check references and obtain 
fingerprints. Only one of the 29 anesthesiologists had fingerprints on file and 
no other checks were done on any of the providers. Only five had Privacy 
Awareness training and seven had Cyber Security Awareness training, and 
three did not sign Rules of Behavior. 

• A contract for radiology services awarded on October 1, 2005, identified 19 
physicians who could provide services under the contract. Eighteen 
physicians had been authorized access to VistA and 13 had VPN accounts 
for remote access. We found signed Rules of Behavior for all 18 physicians 
having VistA access. Background investigations had been completed on 12 
physicians. No requests for background investigations had been made for 
five of the physicians and background investigations were requested and 
pending for two physicians. The positions were all designated as non- 
sensitive, low-risk. Although Cyber Security Awareness and Privacy 
Awareness training had been completed by all 19 physicians, 8 of the 
physicians took the training after we announced our visit. An employee in the 
Chief of Staff's office acknowledged that the training was completed based on 
our planned visit. 

We reviewed contracts related to other OIG audits and reviews and found: 

• The Statement of Work (SOW) for a contract awarded in 2005 by VHA to a 
consultant for the evaluation of VHA's purchase of health care from the 
private sector stated the contractor would have access to both printed and 
electronic documents that may be protected by the Privacy Act and Title 38 
and that unauthorized disclosure is a criminal offense. FAR clauses 52.224-1 
(Privacy Act Notification) and 52.224-2 (Privacy Act) were included in the 
SOW. The specific Title 38 provisions were not identified and Privacy 
Awareness training was not required. The SOW stated that the contractor 
may have access to proprietary information and agreed by the terms of the 
contract to protect the information and to follow all Government rules and 
regulations regarding information security. The specific rules and regulations 
were not identified, and VA's Cyber Security and Privacy Awareness training 
were not required. Although the contractor was advised that background 
checks may be required, the task was not assigned a sensitivity level and 
specific background checks were not required. 

• On May 13, 2005, VA issued a task order against an interagency agreement 
with DoD to have a Federally funded research group, IDA, perform a 
nationwide analysis relating to the variation in disability compensation claims, 
rating, and monetary benefits. Performance required access to protected 
information. Neither the interagency agreement nor the task order stated that 
the information provided the contractor will be protected under the Privacy Act 
or any other confidentiality statute. There was no requirement for Cyber 
Security or Privacy Awareness training, no sensitivity level determination, and 
no requirement for background investigations. 

Policies and Procedures for Reporting and Investigating Lost or Stolen Protected 
Information Are Not Well Defined in VA Policies 

Our review of relevant laws and VA policies and interviews of VA personnel determined 
that VA policies did not include adequate procedures for reporting and investigating 
incidents involving lost or stolen protected information. In addition to not implementing 
procedures required by FISMA, VA did not implement the National Institute of 
Standards and Technology (NIST) recommendations for security incident responses. 
We also found three VA policies that address reporting privacy violations and 
information security incidents to be inconsistent with respect to the information that 
should be reported, the time frames required for reporting, and to whom the incident 
should be reported, including reporting to law enforcement. 

Section 3544(b)(7) of FISMA requires VA to implement an agency-wide information 
security program that includes procedures for detecting, reporting and responding to 
security incidents. These procedures must include notifying and consulting with the 
Federal information security center as well as appropriate law enforcement agencies 
and relevant Offices of Inspector General. We did not identify a VA policy that 
implements this requirement. 

NIST Special Publication, "Computer Security Incident Handling Guide" (Guide), does 
not have specific requirements for reporting to law enforcement but does suggest that 
the response team become acquainted with various law enforcement representatives 
before an incident occurs to discuss conditions under which incidents should be 
reported to them, how the reporting should be performed, what evidence should be 
collected, and how the evidence should be collected. We did not identify any VA 
policies implementing the NIST recommendations. 

VA Handbook 6300.5, Procedures for Establishing and Managing Privacy Act Systems 
of Records, Section 6, Description of Privacy Act Reviews, paragraph g, states that VA 
employees are required to report any suspected criminal violations of the Privacy Act. It 
does not provide any specific time frame or instructions for reporting. This provision is 
not visible to the average employee because it is contained in a policy applicable to 
employees involved in establishing and maintaining Privacy Act systems of records and 
in a paragraph that impacts employees conducting Privacy Act reviews. 

VA Directive 6210, Automated Information Systems Security, has not been updated 
since it was issued in January 1997. The Directive requires VA to establish, maintain, 
and enforce AIS security incident reporting and response capability to ensure that 
computer security incidents are detected, reported, and corrected at the earliest 
possible time. The Handbook requires that security incidents be reported to the ISO 
within 48 hours of the occurrence to the VA Information Resources Security Officer. 
The policy identifies specific information that must be reported, including whether the 
Inspector General or appropriate law enforcement organization was notified. It does not 
specifically mandate reporting the incident to the VA OIG or to another VA law 
enforcement entity, and it does not seem to pertain to the May 3, 2006, incident 
because the incident did not involve an unauthorized intrusion into VA's automated 
system. 

The Privacy Act and other information laws do not require reporting incidents. To 
comply with the provisions of HIPAA, VA issued VA Directive 6502 and VA Handbook 
6502.1. VA Handbook 6502.1 establishes VA-wide procedures for recording privacy- 
related complaints and violations in the VA Privacy Violation Tracking System (PVTS). 
The PVTS supports HIPAA's "documentation of complaints" requirement. The 
Handbook assigns POs the responsibility for recording all privacy-related complaints 
and violations, their updates, and resolutions to the PVTS as soon as possible. The PO 
also is tasked with resolving complaints and violations as soon as possible through 
corrective actions which include education, reprimand, sanction, or a determination that 
there was no breach. 

The process outlined in the Handbook is the same regardless of the magnitude of the 
violation. The only provision for referring a complaint or violation through the privacy 
hierarchy is if the PO cannot resolve the complaint or violation. In contrast to VA 
Handbook 6210, VA Handbook 6502.1 does not provide specific time frames for 
reporting, investigating, or resolving complaints or violations and does not specify what 
information must be ascertained during an investigation. 

VA Directive 6502, paragraph g (13), requires that VA officials "ensure that all alleged 
breaches of applicable Federal privacy law, that on their face, constitute a criminal 
violation of law, are referred for investigation to the Office of Inspector General." 
Whether this Directive applied to the May 3, 2006, incident is difficult to determine, 
because it would all depend on the facts presented at the time of the incident and 
how the person receiving this information interpreted it. The application of this matter is 
discussed in more detail in Issue 4. 
Policy Changes Implemented by VA Since the Incident Are a Positive Step, but 
More Needs to Be Done to Prevent Similar Incidents 

Our review of policy changes and communications issued by VA since the date of the 
information security incident determined that actions taken since May 3, 2006, are 
insufficient to prevent similar incidents in the future. We found that VA has taken 
positive steps in addressing the policy inadequacies, but additional actions are needed. 

VA has issued a number of statements and directives affecting the use of information by 
VA employees. VA has taken the following actions since May 3, 2006. 

• May 22, 2006 - Memorandum to all VA employees required all employees to 
complete Cyber Security and Privacy Awareness training by June 30, 2006. 

• May 26, 2006 - Directive required all employees to complete Cyber Security 
and Privacy Awareness training by June 30, 2006. 

• June 5, 2006 - Memorandum required all organizations to identify teleworkers 
by June 6, 2006. 

• June 6, 2006 - Memorandum suspended the practice permitting VBA 
employees to remove claims files from the regular workstations in order to 
adjudicate claims from an alternative worksite. 

• June 6, 2006 - Memorandum issued VA IT Directive 06-2, which requires 
supervisory approval before removing confidential and Privacy Act protected 
information from the worksite in any data format. 

• June 7, 2006 - All organizations were directed to complete a data access 
inventory for each employee by June 21, 2006. 

• June 7, 2006 - VA Directive 6504, Restrictions on Transmission, 
Transportation and Use of, and Access to, VA Data Outside VA Facilities. 

VA IT Directive 06-2 addresses some of the gaps in policy, including requirements for 
data encryption and password protection in accordance with VA policy when employees 
are authorized to remove electronic data. Directive 06-2 also requires employees who 
lose confidential or Privacy Act protected data to report the loss immediately to the 
facility or staff office ISO, the PO, and the employee's immediate supervisor. However, 
Directive 06-2 does not cover issues relating to loading, processing, and storing 
protected information on a non-VA computer or the destruction of the data/computer. In 
addition, it is not clear whether use of the term "confidential" refers to personal and 
proprietary information, as the term is used in FISMA, or if this means "confidential" as 
used by the DoD. If the latter, the Directive does not protect proprietary information. 

Directive 6504 contains policy for 23 different items. With respect to the circumstances 
relating to the recent incident involving loss of data, the Directive permits VA employees 
to transport, transmit, access, and use VA data outside VA facilities only when such 
activities have been specifically approved by the employee's supervisor. The Directive 
prohibits the use of non-VA owned equipment to access the VA Intranet remotely or to 
process VA protected information except as provided in the Directive. 

However, we found that the Directive was difficult to understand; too technical for the 
average employee to understand; used terms, such as "appropriate," that were too 
vague to ensure compliance; and made references to other applicable policies, 
guidelines, and laws without identifying them. 

The following actions by VA will further ensure protected information is safeguarded: 

• Issue one clear, concise policy on safeguarding protected information when 
stored and not stored on VA's automated systems. The policy should clearly 
define what information is protected from disclosure. 

• Address policies and procedures individually for accessing, using, 
transporting, and transmitting protected information. 

• Require that all VA employees and contract employees acknowledge that 
they received, reviewed, and understand the policy. 

• Modify Cyber Security and Privacy Awareness training to include references 
to all relevant VA policies and that users complete the training in their entirety 
to obtain certification. 

• Have one Privacy Awareness training program for all employees. 

• Consider prohibiting the use of non-VA computers to store and process VA 
protected information unless VA can be assured that the computers have the 
same level of safeguards to protect information as required for VA computers. 

• Ensure that all VA contracts contain terms and conditions to safeguard VA 
protected information. 

• Hold individuals accountable for non-compliance as well as responsible 
managers, supervisors, contracting officers, and contracting officer's technical 
representatives. 

Under the Privacy Act and other information laws, the Secretary is ultimately 
responsible for ensuring that protected information is safeguarded from inappropriate 
disclosure. To this end, the Secretary has the authority to issue and enforce national 
policy affecting VA employees and contractors who have access to protected 
information. Centralized policies for handling protected information will help ensure 
consistency in safeguarding the information and preventing the fragmentation, overlap, 
and the confusion that occurs when entities in VA issue their own policies. VA policies 
should also establish clear processes and procedures with well defined responsibilities 
for the reporting and investigation of protected information. 
Conclusion 

Our review found that VA did not have policies and procedures in place that would have 
prevented the potential disclosure of protected information. The patchwork of existing 
VA policies was difficult to locate, fragmented, overlapping and confusing. VA's Cyber 
Security and Privacy Awareness training do not ensure that employees and contractors 
are adequately familiar with the applicable laws and VA policies. The fact that VA does 
not adequately assess sensitivity levels to positions increases the risk of future 
disclosure problems. In addition, VA contracts that involve access to protected 
information and access to VA's automated systems do not adequately protect the 
information or the automated systems. We also found that VA did not have clear, 
consistent policies and procedures in place to ensure employees take timely and 
appropriate action when information is lost or stolen and that VA needs to take further 
action to ensure similar disclosures of protected information are prevented in the future. 

Recommendations 

To address the issues raised in this section, we recommend that the Secretary: 

a. Establish one clear, concise VA policy on safeguarding protected information 
when stored or not stored on a VA automated system, ensure that the policy 
is readily accessible to employees, and that employees are held accountable 
for non-compliance. 

b. Modify the mandatory Cyber Security and Privacy Awareness training to 
identify and provide a link to all applicable laws and VA policy. 

c. Ensure that all position descriptions are evaluated and have proper sensitivity 
level designations, that there is consistency nationwide for positions that are 
similar in nature or have similar access to VA protected information and 
automated systems, and that all required background checks are completed 
in a timely manner. 

d. Establish VA-wide policy for contracts that require access to protected 
information and/or VA automated systems, that ensures contractor personnel 
are held to the same standards as VA employees, and that information 
accessed, stored, or processed on non-VA automated systems is 
safeguarded. 

e. Establish a VA policy and procedures that provide clear, consistent criteria for 
reporting, investigating, and tracking incidents of loss, theft, or potential 
disclosure of protected information or unauthorized access to automated 
systems, including specific timeframes and responsibilities for reporting within 
the VA chain-of-command and, where appropriate, to OIG and other law 
enforcement entities, as well as appropriate notification to individuals whose 
protected information may be compromised. 
Issue 6: Whether Audits and Reviews of VA's Information 
Management Security Program Controls Continue to Identify 
Vulnerabilities 

During the past several years we have conducted a number of audits and evaluations 
on information management security and IT systems that have shown the need for 
continued improvements in addressing security weaknesses. We have reported VA 
information security controls as a material weakness in the annual Consolidated 
Financial Statements (CFS) audits since the FY 1997 audit. Our FISMA audits have 
identified significant information security vulnerabilities since FY 2001. We continue to 
report security weaknesses and vulnerabilities at VHA health care facilities and VBA 
regional offices where security issues were evaluated during our Combined Assessment 
Program (CAP) reviews. We have also identified IT security as a Major Management 
Challenge for the Department each year for the past 6 years. 

Consolidated Financial Statement Audits Continue to Report Information Security 
as a Material Weakness 

As part of the CFS audit, IT security controls have been reported as a material 
weakness for many years. A material weakness is defined as a weakness in internal 
control that could have a material effect on the financial statements and not be detected 
by employees in the normal course of their business. We have reported that VA's 
program and financial data are at risk due to serious weaknesses related to: inadequate 
implementation and enforcement of access controls over access to financial 
management systems and data; improper segregation of key duties and responsibilities 
of employees in operating and maintaining key systems; underdeveloped IT service 
continuity planning; and inconsistent development and implementation of system 
change controls. 

Testing disclosed that strong access authentication mechanisms and administration of user 
access have not been consistently implemented and enforced. There were ineffective 
monitoring and review of user access profiles. Intrusion detection mechanisms, and 
coordination and communication between Central Incident Response group and local 
security functions were not operating promptly and effectively to detect and resolve 
potential security violations from internal sources. Some systems have not been 
configured to support proper implementation of system segregation of duties. A 
business continuity plan at the departmental level has not been fully developed to 
provide overall guidance, direction, and coordination for IT service continuity and testing 
at certain medical facilities and data centers has not been consistently scheduled and 
adequately performed. Testing also disclosed that VA policy does not provide 
uniform guidance for a wide range of new and legacy applications to facilitate 
consistent implementation and effective monitoring of changes. As a result of these 
vulnerabilities, we recommended that VA pursue a more centralized approach, apply 
appropriate resources, and establish a clear chain-of-command and accountability 
structure to implement and enforce IT internal controls. 



VA Office of Inspector General 43 



Case 1:06-cv-01038-JR Document18-4 Filed 01/09/2007 Page22of30 
Review of Issues Related to the Loss of VA Information Involving the Identity of Millions of Veterans 

CFS audits have also found that VA managers needed to: 

• Improve access control policies and procedures for configuring security 
settings on operating systems, improve administration of user access, and 
detect and resolve potential access violations. 

• Evaluate user functional access needs and system access privileges to 
support proper segregation of duties within financial applications. Assign, 
communicate, and coordinate responsibility for enforcing and monitoring such 
controls consistently throughout VA. 

• Develop a service continuity plan at the departmental level that will facilitate 
effective communication and implementation of overall guidance and 
standards, and provide coordination of VA's service continuity effort. 
Schedule and adequately test IT disaster recovery plans to ensure continuity 
of operations in the event of a disruption of service. 

• Develop a change control framework and, within that framework, implement 
application specific change control procedures for mission critical systems. 

VA has implemented some recommendations for specific locations identified but has not 
made corrections VA-wide. For example, we found violations of password policies 
which management immediately corrected, but in following years, we found similar 
violations at other facilities. We also found instances of terminated or separated 
employees with access to critical systems identified at various locations which 
management corrected, only to discover similar instances elsewhere. Consequently, 
we continue to report information security as a material weakness, which was 
highlighted in the VA FY 2005 Annual Performance and Accountability Report, dated 
November 15, 2005. 

Annual Evaluations of VA's Information Security Program Have Identified 
Vulnerabilities That Remain Uncorrected 

In all four FISMA audits of the VA Security Program issued since 2001, we reported 
vulnerabilities that continue to need management attention. These reports highlight 
specific vulnerabilities that can be exploited, but the recurring themes in these reports 
are the need for centralization, remediation, and accountability in VA information 
security. Since the FY 2001 report, we reported weaknesses in physical security, 
electronic security, and internal reporting, and since 2002, we also reported 
weaknesses in wireless security and personnel security. Additionally, we have reported 
significant issues with implementation of security initiatives VA-wide. 

The FY 2004 audit also emphasized the need to centralize the IT security program, 
implement security initiatives, and close security vulnerabilities. We previously 
recognized that the Office of the Assistant Secretary for Information and 
Technology/CIO office needed to be fully staffed, and that funding delays and 
resistance by offices to relinquish their own security functions and activities delayed 
implementation of the fully centralized CIO contemplated by our prior recommendations. 
The CIO's comments to the report referenced an April 2004 VA General Counsel 
opinion that the CIO interpreted as restricting his office from gaining the authority to 
enforce compliance with the VA information security program, and hindering his ability 
to address the identified vulnerabilities. We again recommended that VA fully 
implement and fund a centralized VA-wide IT security program. 

The following 17 issues continue to warrant management attention. 

1. Implementation of a Centralized Agency-Wide IT Security Program 

The CIO is VA's focal point for IT matters. The Secretary has designated the Assistant 
Secretary for Information and Technology as the VA CIO. Although the CIO is 
responsible for VA's information systems, operational controls were decentralized 
among each administration within VA. The operational control was, until recently, 
vested with VHA, VBA, National Cemetery Administration (NCA), and other program 
offices in VA. The CIO provided guidance and the tools to support the activities with 
operational control to secure VA systems, but the CIO did not have the ability to enforce 
or hold officials accountable for non-compliance. The CIO was responsible for the 
general management of all VA IT resources, including policy guidance, budgetary 
review, and general oversight. However, the implementation of the information security 
program was accomplished by VA personnel who were not under the direct supervision 
or control of the CIO. 

VA informed Congress that it plans to move towards a "federated IT system" to realign 
department-wide IT operations and maintenance responsibilities under the direct 
authority of the CIO. The main feature of the realignment will place VA's IT budget, 
along with IT professionals involved in operation and maintenance work, directly under 
the authority of the CIO. However, IT employees involved in system development will 
remain under their respective administrations and staff offices (e.g., VHA, VBA, NCA, 
and some program offices). Given that the planned realignment has just begun, VA's 
federated IT system implementation plans will need further study. For example, we will 
need to review whether existing IT systems and operations under the purview of the 
CIO will efficiently and effectively communicate with newly designed applications 
implemented by these system development offices. 

2. Implementation of a Patch Management Program 

VA continues to review and address patch management issues to find long-term 
solutions. We previously identified a number of critical patches that were either not 
installed or not appropriately implemented at the VA facilities reviewed. VA did not have 
an enterprise-wide solution that could directly connect to over 250,000 points within VA. 
During our FY 2005 audit, VA continued to evaluate solutions to remediate this 
condition. VA was still in the process of developing and fully deploying a patch 
management program. VA's CIO identified roles and responsibilities to address VA 
Enterprise Patch Management processes and standard operating procedures. A 
January 7, 2005, memorandum, Enterprise Patch Management, signed by the CIO, 
details patch management roles, responsibilities, and special considerations. 

3. Electronic Security 

Our reviews conducted at new sites visited during FY 2005 found potential 
vulnerabilities that we previously identified relating to password controls, remote access, 
and securing critical files. Additionally, we continued to find security vulnerabilities 
related to the lack of segregation of duties; unsecured critical files, which could allow 
attackers access to password files; and inappropriate access through remote access 
software. Our field work at facilities not previously visited in prior years found potential 
vulnerabilities warranting management attention. The reviews indicate that while 
managers at sites visited are addressing vulnerabilities identified during these reviews, 
sites not visited in prior years have not been advised that the vulnerabilities identified 
may be systemic in nature. VA needs a consistent approach at all of its facilities to 
effectively monitor networks and to use tools, such as electronic scanning, to proactively 
identify and correct security vulnerabilities. 

4. Personnel Security 

In FY 2005, we continued to find previously identified weaknesses related to position 
descriptions and training of VA employees and contractors. Sensitive position 
descriptions needed better documentation. We found the sensitivity rating was 
inaccurate for some employee positions at facilities reviewed and that position 
descriptions needed to more specifically address the levels of access relative to the 
positions' duties and responsibilities. 

5. Background Investigations 

VA needs to ensure that employee and contractor background investigation 
requirements are adequately identified and addressed. In FY 2005, we identified 
instances where background investigations and reinvestigations were not initiated in a 
timely manner on employees and contractors, or were not initiated at all. 

6. Deployment and Installation of Intrusion Detection Systems 

Although much has been done, the VA's Office of Cyber and Information Security 
(OCIS) still needs to validate whether VA completed installation of Intrusion Detection 
Systems (IDS) at all sites. Deploying and installing IDS is a key step in the process of 
securing VA data systems on a national basis. Implementation of IDS increases VA's 
ability to detect intrusions. OCIS advised us that an enterprise-wide IDS has been fully 
implemented. In addition, OCIS is researching the benefits of moving to Intrusion 
Prevention Systems in an effort to provide VA the capability to detect and prevent 
"attacks." 

7. Infrastructure Protection Actions 

VA needs to complete infrastructure planning efforts. During our FY 2004 audit, we 
found examples where the physical infrastructure had significant vulnerabilities and did 
not adequately protect data from potential destruction, manipulation, and inappropriate 
disclosure. During our FY 2005 field work, we found that VA was developing a Critical 
Infrastructure Protection Plan, and completed an identification and prioritization of 
critical information resources. 

8. Information Technology Centers' Continuity of Operations Plans 

VA is making progress and has completed Continuity of Operations (COOP) plans, but 
full testing needs to be done. VA has issued an Emergency Preparedness 
Directive/Handbook 0320 for the VACO COOP. VA was developing a Master COOP for 
the entire VA, which will include all elements in the Central Office COOP. NIST 800-34, 
"Contingency Planning Guide for Information Technology Systems," dated June 2002, 
recommends that COOP testing be accomplished at least annually. COOPs 
covering Information Technology Centers (ITCs) need to ensure capabilities exist to 
provide necessary operational support in the event of disasters. Our field tests 
conducted in FY 2005 showed that the ITCs have completed these contingency plans, 
but that testing these plans needed to be jointly done among all program offices residing 
in the ITCs. After FY 2005 field work was completed, we learned that VBA-related 
hardware had been procured at one ITC to back up data, and some independent testing 
has been performed. VBA informed us that they recently conducted tests at their ITCs 
and performed disaster recovery exercises. While this is a step forward, joint testing by 
all covered ITC offices is needed. 

9. Certification and Accreditation Process 

During FY 2005 field work, we found that VA had placed a priority on the uncompleted 
Certification and Accreditation (C&A) process. The number of VA systems and major 
applications decreased from 678 in FY 2004 to 585 in FY 2005, as a result of VA 
combining applications or by removing previously reported systems that did not meet 
the NIST criteria. At the end of our field work in the summer of 2005, VA had not 
completed a C&A for all systems and major applications. The Secretary had made it a 
priority to complete all C&A work by the end of August 2005, and in November 2005, VA 
reported to the Office of Management and Budget that it had completed a C&A for all 
VA systems and major applications. 

10. Terminate/Upgrade External Connections 

In prior audits, we reported security risks associated with the operation of uncertified 
Internet gateways. As of FY 2005, VA took actions to mitigate these risks by limiting the 
number of Internet gateways in order to improve control over access to VA systems. 
Field work conducted in FY 2005 found that VA is still unable to determine if all 
extraneous external connections have been terminated. We are currently unsure of the 
extent VA and its affiliated and non-affiliated partners may be operating their own 
gateways. We also found that the standard contract VA used to procure computers 
included modem devices as a standard feature, which if retained in default settings 
could serve as access points for hackers attempting to gain entry into VA systems. A 
January 11, 2005, OIG report on procurement of desktop modems prompted VA to 
amend its contract and to address the modem security vulnerabilities with all facilities. 

11. Configuration Management 

Prior year audits have found instances where VA networks relied on old operating 
systems such as Windows 95 and Windows 98, which placed the VA networks at risk 
due to the lack of vendor support to upgrade security and other features. An 
unsupported operating system, whether desktop or production mainframe, exposes VA 
to potential security and operational risks, including operating system failure. During FY 
2005 field work, we found VA had reduced the number of personal computers running 
Windows 95, but other aged computers must continue to operate due to special 
document scanners associated with The Imaging Management System. We were told 
that these scanners and personal computers are expected to be replaced or retired 
during FY 2006, if funds are available. Additionally, OCIS confirmed VHA has not 
completed the conversion of 162 older operating systems. In order to mitigate the risks 
associated with the older operating systems, VHA moved the devices to a virtual local 
area network configuration with restricted access. 

12. Movement and Consolidation of VACO's Data Center 

We previously reported that the VACO data center was located below ground level and 
experienced water damage twice in the last 10 years. VA reported the relocation of the 
VACO data center is in progress. In the interim, VA placed equipment in multiple 
locations throughout the Washington, D.C., metropolitan area until procurement and 
construction are completed at a new location. Even though progress has been made, we 
identified routers and switches that support VACO network operations that remain 
below ground level. 

13. Application Program/Operating System Change Controls 

VA change control policy does not provide uniform application development and change 
guidance for a wide range of new and legacy applications. Nationwide policy is 
necessary to facilitate consistent implementation and effective monitoring of system 
change controls for mission critical systems. For example, we found changes to a 
mainframe operating system and supporting hardware were not supported by local 
management authorization. Additionally, we found instances where changes to the 
production environment were not adequately documented or approved for major 
applications and critical systems. Consequently, unauthorized changes could have 
adversely affected the production environment or led to misuse without warning. 

14. Physical Access Controls 

At previous sites visited, VA was attempting to make improvements to ensure adequate 
measures were implemented to secure veterans' information and provide a safe 
environment for employees and visitors. However, our facility reviews at new locations 
showed physical access controls still need improvement. For example, a number of 
facilities granted access to computer rooms to employees who did not have a need to 
be in the computer room to perform their job function, and some contractors did not 
have an escort while in the computer room. 

15. Wireless Security 

VA is making progress in reducing wireless security vulnerabilities by securing its 
network from outside intrusion. Actions were taken to install an encryption wireless 
product that is designed to prohibit unauthorized users from accessing the network. 
However, our penetration test showed some vulnerability in the wireless network could 
be used to view transmissions, including those containing patient data, and to gain 
access to systems residing on VA's internal networks. Despite improvements, VA's 
information systems remained at risk for unauthorized access or misuse of sensitive 
information. 

16. Encrypting Sensitive Information on VA Networks 

VA has stated that it was taking interim steps to improve transmission of protected and 
sensitive information over its networks as sensitive data continues to be transmitted in 
clear text on VA networks. VA informed us that installation of encryption capabilities on 
some of its older platforms would render the systems inefficient. VA was looking for 
solutions to establish controls to secure electronic protected health information. Field 
tests conducted in FY 2005 continued to demonstrate the need to improve controls as 
our contractor's penetration test showed an intruder could successfully view protected 
health information in unencrypted clear text from outside a VA network. Site work also 
showed examples where unencrypted protected health information was vulnerable at 
other VHA facilities. The CIO informed us that a Transmission of Privacy Information in 
Clear Text work group was established to determine: (1) classes of data within the VA, 
(2) sensitivity ratings for these data classes, (3) strategies for implementing controls for 
the protection of these data classes, and (4) the most efficient and effective way to 
protect the privacy of veteran information electronically transmitted across the network. 

17. FISMA Reporting Database 

FISMA establishes security requirements and requires VA to annually report 
vulnerabilities for systems and major applications. While VA is taking actions to 
address security vulnerabilities, we continue to identify weaknesses that require a 
centralized and coordinated effort to ensure corrective actions are taken to control 
access, to secure computer rooms, and to ensure facilities accurately report their 
security deficiencies that place VA information and data at risk. The FISMA database 
contains the self-assessment surveys of VA's major applications and systems. System 
and application deficiencies, as well as funded and unfunded remediation plans, are 
reported and stored in this database. Consequently, this database needs to accurately 
demonstrate the security posture of VA's systems and major applications. Also, it 
should accurately depict the risk of loss of the critical and sensitive information 
contained within these systems and major applications. 

Comparisons of the sites visited to the entries in the FISMA database found that not all 
information was accurate or complete. Most inaccuracies involved reporting of the five 
levels of IT security program effectiveness outlined in the Federal Information 
Technology Security Assessment Framework. Additionally, we found no evidence that 
facilities were held accountable for information inaccuracies or incomplete data in the 
database. For example, fields requiring information pertaining to the amount of funding 
needed to correct deficiencies were incomplete. Areas needing clarification included 
physical security controls, risk assessments performed and documented as required, 
password controls, personnel sensitivity designations, and personnel background 
investigations. VA senior leadership needs this information to determine the costs to 
correct the conditions identified. With inaccurate or incomplete information in the 
FISMA database, VA senior leadership will not have a complete picture of VA's 
information security posture and the level of resources and funding needed to remediate 
security deficiencies. 

VA is currently developing policies and procedures for implementing a federated 
approach to managing IT security and resources, and is still in the process of 
addressing recommendations made during prior FISMA audits. VA has made progress 
during FY 2005 to improve IT controls and to implement some recommendations. For 
example, after the FY 2005 testing was completed, VA informed us that certification and 
accreditation reviews have been completed and the deployment of IDS has been 
accomplished. We will validate implementation in future annual FISMA audits. We 
have not made recommendations in reference to these issues because VA will 
comment on them in the most recent FISMA report. 

Combined Assessment Program (CAP) Reviews Show Information System 
Security Vulnerabilities Continue to Exist 

We continue to identify instances where out-based employees send veterans' medical 
information to the VA regional office via unencrypted e-mail; system access for 
separated employees is not terminated; monitoring remote network access and usage 
does not routinely occur; and off-duty users' access to VA computer systems and 
sensitive information is not restricted. We continue to make recommendations to 
improve security and contingency plans, control access to information systems, 
complete background investigations and annual security awareness training, and 
improve physical security controls. 

While individual and regional managers have concurred with these CAP 
recommendations, and our follow-up process confirms actions to resolve the specific 
conditions identified at these sites, we continue to find that corrective actions are not 
applied to all facilities to correct conditions nationwide. As a result, we continue to find 
these systemic conditions at other sites we visit. For example, 

• At a VA Healthcare System, we found that computer access privileges were 
not promptly terminated or modified when users separated from the facility. 
IT contingency plans did not include all critical elements to ensure continuity 
of operations during a disaster or emergency, and annual IT security 
awareness training was not completed by all active users. 

• At a VARO, we identified the need for managers to ensure that Benefits 
Delivery Network (BDN) commands requested were necessary and that employees' 
claims folders were electronically locked. As employees' duties change, the 
allowed commands and the need for new BDN access commands need to 
be evaluated. Testing found that 7 of the 20 access commands authorized 
permitted employees the rights to use more data files than were needed to 
perform their current assignments. 

Between FYs 2000 and 2005, the CAP program identified IT and security deficiencies in 
141 (78 percent) of 181 VHA facilities reviewed. We identified IT and security 
deficiencies at 37 (67 percent) of 55 VBA facilities reviewed. These reviews add further 
support to our conclusion that VA needs a centralized approach to standardize 
operations and address systemic issues nationwide. 

Conclusion 

Our CFS audits, FISMA audits, and individual CAP reports of VA medical facilities and 
regional offices all highlight specific vulnerabilities that can be exploited, but the 
recurring themes in these reports are the need for a centralized approach to achieve 
standardization in VA, remediation of identified weaknesses, and accountability in VA 
information security. Specific recommendations were not made in this section because, 
while the 17 recommendations remain unimplemented, they are listed in previously 
issued OIG reports. We will continue to follow up on these recommendations until fully 
implemented. 

The Honorable George J. Opfer 
Inspector General 

Department of Veterans Affairs 
Washington, DC 20420 

Dear Mr. Opfer: 

Thank you for the opportunity to review and respond to the report on events 
related to the Department of Veterans Affairs' (VA) data loss. I fully concur with the 
recommendations contained in the report. 

The tragic event that was the impetus for the report exposed deficiencies in 
information security involving leadership, policies and procedures. That will change 
during my tenure as Secretary of Veterans Affairs. On June 28, 2006, I signed a 
memorandum delegating to the VA Chief Information Officer (CIO) all authority and 
responsibilities given to me by the Federal Information Security Management Act 
(FISMA). This delegation restructures responsibilities and authorities for information 
security here at the VA and initiates the needed cultural changes that must occur. I have 
made it clear to all senior managers in the Department that information security, cyber 
security and the reorganization of the Office of Information Technology (OIT) are my top 
priorities going forward. 

I have promised our veterans and employees that VA will become a Gold Standard 
and recognized leader in security of personal information. I will settle for nothing less. To 
accomplish this ambitious goal we must work diligently to establish a culture that 
embraces these standards. We will not stop until we have accomplished our objective of 
leading the federal government in information and cyber security policies and procedures, 
just as we accomplished the monumental change in our health care system over the past 
decade. VA is the leader in patient safety and quality of care, and we can become the 
leader in information security. 